Subscribe to the Non-Human & AI Identity Journal

Who is accountable when fraud moves outside the login screen?

Accountability usually sits with multiple owners at once: IAM for assurance policy, fraud teams for abuse patterns, and product or operations teams for fallback journeys. The practical test is whether any user path allows a weaker channel to override a stronger one. If it does, ownership has not been assigned to the real control point.

Why This Matters for Security Teams

When fraud moves outside the login screen, the control problem is no longer just authentication. It becomes a question of who owns step-up checks, fallback channels, device trust, recovery workflows, and exception handling. That is where account takeover, synthetic identity abuse, and social engineering collide. NIST SP 800-53 Rev. 5 treats identity proofing, access enforcement, and incident response as distinct control areas, which mirrors the reality that one team cannot own every fraud decision.

The practical failure mode is usually not a missing login control. It is a weaker path, such as SMS recovery, help desk override, or manual review, that silently bypasses stronger assurance. NHIMG research on the Ultimate Guide to NHIs shows how weak governance around non-human identities, secrets, and excessive privilege creates the same pattern in machine-driven journeys: an approved path becomes the real attack path. In practice, many security teams encounter account compromise only after a fallback flow has already been abused, rather than through intentional fraud testing.

How It Works in Practice

Accountability should follow the control point, not the org chart. If a product team owns account recovery, that team owns the risk of recovery abuse. If IAM defines assurance levels, IAM owns whether those levels are enforceable. If fraud operations can override decisions, fraud owns the override policy and auditability. Security leadership typically needs a shared operating model that maps each user journey to a named owner, an evidence trail, and a threshold for step-up or denial.

That model works best when it is explicit about where trust changes. For example:

  • Authentication proves who is presenting the request.
  • Risk engines decide whether the request looks normal, suspicious, or impossible.
  • Recovery and support paths define what happens when the primary path fails.
  • Logging and case management preserve evidence for dispute resolution and tuning.

Current guidance suggests using least privilege for humans and NHIs alike, because fraud often propagates through over-permissive service accounts, API keys, and automation that can trigger account changes without strong human review. NHIMG’s research on JetBrains GitHub plugin token exposure and Hard-Coded Secrets in VSCode Extensions shows how exposed credentials can move abuse far beyond the login screen and into developer and operational workflows. Pairing that with NIST SP 800-53 Rev. 5 Security and Privacy Controls helps teams anchor ownership in control families rather than vague shared responsibility. These controls tend to break down when recovery paths are handled ad hoc by support teams because the exception process becomes the easiest route for an attacker.

Common Variations and Edge Cases

Tighter fraud controls often increase friction, requiring organisations to balance conversion against abuse resistance. That tradeoff is real, especially for consumer businesses, marketplaces, and high-volume support operations where false positives can create churn. Best practice is evolving, but there is no universal standard for exactly how much friction is acceptable in every journey.

Edge cases usually appear where multiple teams can approve the same outcome. A card-not-present merchant may have fraud, payments, and product all influencing a refund flow. A bank may have IAM, call centre operations, and risk teams touching account recovery. In those environments, accountability should be documented at the decision gate, not assumed at the department level. If no one owns the override log, then no one owns the abuse it enables.

One recurring gap is automation. NHIs often perform the very actions fraudsters target, including password resets, entitlement changes, and notification delivery. That means abuse review has to include machine identities and secrets hygiene, not just human authentication. The broader NHI risk picture documented by NHI Mgmt Group shows why weak visibility into service accounts and long-lived credentials can turn an exception process into a persistent fraud channel.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10, OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
OWASP Non-Human Identity Top 10 NHI-01 Fraud paths often exploit over-privileged machine identities and secrets.
OWASP Agentic AI Top 10 A-03 Autonomous decision chains can bypass intended fraud controls.
CSA MAESTRO GOV-2 Shared accountability is central when multiple teams own agentic or automated paths.
NIST AI RMF GOVERN AI governance requires clear accountability for automated decisions and exceptions.
NIST CSF 2.0 PR.AA-01 Identity assurance and access enforcement are part of fraud-resistant account control.

Evaluate agent and workflow actions at runtime before they can invoke sensitive journeys.